PCI DSS is the result of a collaboration of the major credit card associations to establish a single data security standard designed to protect sensitive cardholder information. Any entity that stores, processes or transmits cardholder data (including credit and debit cards) must comply with PCI DSS requirements.


4. What can happen if I am not in compliance with PCI DSS?

Non-compliance can result in fines and remedial efforts that could easily exceed $1 million. Costs include fines, forensic exams, cardholder notifications, setup of a call center, credit monitoring and more costly compliance requirements. Such costs would be the responsibility of the merchant.

Risk exposing customers (students, faculty/staff and general public) to fraud and identity theft

Breach of cardholder information can result in negative publicity and damage to SIU's reputation

Non-compliance can result in the loss of credit card and debit card acceptance privileges

5. Who do I contact if I believe credit card information may have been compromised?

Annual training is required for personnel involved in credit card processing in one of the following categories:

Has access to cardholder data

The fiscal officer of the account to which credit card payments are credited, and/or their delegate.

Handles credit card payments as part of their regular job duties. Personnel who handle credit card payments on a one-time or temporary basis are encouraged, but not required, to attend training. Personnel whose only contact with credit card information is swiping cards through a credit card acceptance device (e.g., a POS terminal) are not required to attend training.

7. What credit card information can I store?

When required for business purposes, the following information may be stored:

Primary Account Number (PAN)

Cardholder Name*

Service Code*

Expiration Date*

*Any of these elements, when stored in conjunction with the primary account number, must be protected in accordance with PCI DSS requirements.
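The rule above amounts to an allowlist of four storable elements plus a duty to protect them. The following Python is an added illustration of how an application can enforce that rule at the point where a record is written; it is not SIU's code and the field names, record layout and masking format are assumptions for the example. It fails closed on any field outside the allowlist and renders the PAN unreadable by truncation (keeping at most the first six and last four digits) before anything is persisted; a system that genuinely needs the full PAN later would use strong encryption instead, which the FAQ does not cover.

```python
"""Storage filter for the cardholder data elements the FAQ lists as storable.

Added illustration, not SIU's code. Field names, the masking format and the
record layout are assumptions made for this example.
"""
import re

# The four elements the FAQ says may be stored when required for business purposes.
STORABLE_FIELDS = frozenset({"pan", "cardholder_name", "service_code", "expiration_date"})


class StoragePolicyError(ValueError):
    """Raised when a record contains data the storage policy does not allow."""


def luhn_valid(pan: str) -> bool:
    """Luhn checksum, used here only to catch malformed PANs before they are stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Render the PAN unreadable for storage.

    Keeps at most the first six and last four digits (the conventional
    truncation limit; an assumption for this example) and replaces the rest.
    """
    if not re.fullmatch(r"\d{13,19}", pan):
        raise StoragePolicyError("PAN must be 13-19 digits")
    if not luhn_valid(pan):
        raise StoragePolicyError("PAN fails Luhn check")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def prepare_for_storage(record: dict) -> dict:
    """Return a copy of `record` that is safe to persist under the FAQ's rule.

    * any field outside the allowlist is refused outright (fail closed), so
      data the policy does not permit never reaches the database;
    * the PAN is truncated before it is written;
    * the other listed elements are kept as-is, since the FAQ only requires
      protection when they sit alongside the PAN, which is now masked.
    """
    disallowed = set(record) - STORABLE_FIELDS
    if disallowed:
        raise StoragePolicyError(f"refusing to store fields: {sorted(disallowed)}")
    stored = dict(record)
    if "pan" in stored:
        stored["pan"] = mask_pan(str(stored["pan"]))
    return stored


if __name__ == "__main__":
    # Constructed sample record; 4111... is a well-known test number, not a real card.
    sample = {"pan": "4111111111111111", "cardholder_name": "A. Student", "expiration_date": "12/29"}
    print(prepare_for_storage(sample))
    try:
        prepare_for_storage({**sample, "unlisted_field": "x"})
    except StoragePolicyError as e:
        print("rejected:", e)
```

The important design choice is the order of checks: the allowlist is enforced before any masking, so a record carrying an unlisted element is rejected whole rather than partially sanitized and written.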

The following information may never be stored subsequent to authorization: